£500K data breach fines not enough

The ICO's Jonathan Bamford defended the fines at a privacy event in London

The recently sanctioned fine of £500,000 for organisations that fail to protect individuals' data is not enough, according to a poll undertaken by the Information Commissioner's Office (ICO) at a privacy event Tuesday.

The ICO was granted the power to levy the fine in April, in an attempt to limit personal data security breaches and promote compliance with the Data Protection Act. However, nearly 70 per cent of attendees at the Fine Balance event on Tuesday said that the amount is too low.

The 55 delegates hailed from central government, lobbying groups, academia, the technology industry, the scientific community and the press.

The event was organised to discuss how privacy can be protected in an increasingly digital society, and was the fourth to be held since 2005.

Jonathan Bamford, head of strategic liaisons at the ICO, recognised that the fine could be too low for large institutions such as banks, but could be perceived as too high for small businesses.

"People expect that collection of their personal information is a part of modern life, but at the same time it makes them uneasy, and they do expect safeguards to be there to protect them," he said during the conference keynote.

"I do not want a situation where we have to use bigger sticks, but by God am I prepared to use them."

Bamford referred to ICO data collected last year in an effort to understand what the public sees as the government's top social priorities.

Preventing crime was top of the list, but protecting personal information was second and was considered a more important priority than unemployment, the NHS and national security.

Bamford explained that the public expects technology companies to have a role in protecting their data.

"People find it astonishing that technology companies do not foresee the risks and look after them," he said.

However, Chris Gavin, information security vice president at Oracle, said at the event that, although technology companies should be part of the debate, they are "not the answer".

"People want more guarantees about security, but technology can only support and not create privacy," he said. "I don't think there is such a thing as privacy enhancing technology, although there is privacy awareness technology."

Bob Cockshott, head of location and timing at the Digital Systems Knowledge Transfer Network (KTN), a UK computing and security body, claimed that, although the public is concerned about the privacy of their data, they are growing accustomed to more failings in data protection.

The Digital Systems KTN organises the Fine Balance event with sponsorship from the Technology Strategy Board, and Cockshott was in charge of organising the conference in 2008.

"The last time we held this event, two government CDs holding public data had just gone missing, and this event was filled with press and camera crews. Now people seem to just be getting used to it," he said.